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Abstract 

The quantum computer (QC) algorithm by Peter Shor [2j for factorization 
of integers is studied. The quantum nature of a QC makes its outcome 
random. The output probability distribution is investigated and the chances 
of a successful operation is determined. 

1 Introduction 

To determine the prime factors p\ and p2 of an integer n = p\ ■ p2 by the 
Shor algorithm [2] a random integer 1 < x < n is generated and an esti- 
mate of the order of x (mod n) i e. the least positive integer r satisfying 
x r = 1 (mod n) is determined from the QC output state. The QC contains 
quantum circuitry calculating the function f(a) = x a (mod n) and perform- 
ing a Quantum Fourier Transform (QFT). It uses two registers one of size 
qA = |~21og 2 n] qubits, which is read out, and one of size qs = |~log 2 n] 
containing the function /(a). If n is a m bit number q^ = 2m. There are 
N = 2 qA possible output states of register A each of which can be repre- 
sented a binary number c. From the QC output c the factors p\ and p2 can 
be determined, under certain conditions, by operations on c by an ordinary 
digital computer 

The critical parameter is the integer x since the quantum circuitry is 
constructed for a specific value of x. It is shown in the sequel that an x 
generated randomly from a uniform distribution can be expected to work 
with probability 2/3, independent of computer size. 
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2 Quantum Computer operations 

To factorize a number n by the Shor algorithm a random number x is gen- 
erated and quantum circuitry implementing the function x a (mod n) is de- 
signed. As a first step a superimposed state is produced 

1 N ^ 

|*1>= — p= y |o> |x a (mod n)> (1) 



a=0 



Applying the QFT to the state \a> yields 

N-l 

'N 



a> => -L V e 2 ™^ |6> (2) 

6=0 

and the state \^>i> is transformed into 
^ iV-lJV-l 

|*2>= - ^ J] exp(2vria6/Af)|6> |x a (mod n)> (3) 

a=0 b=0 

The state \ i &2> is measured in the reference coordinate system. 

The probability that a particular state \c, x fc (mod n)> is observed is 

P(c,k) = \jj y exp(2vrmc/iV)| 2 (4) 

a:a; a =x' s 

Since x has order r all a : < a < N — 1 of the form a = mr + k satisfies 
x a = x k . Solving for m gives m < M with M = |_(iV — — where [_ j 

denotes integer part. From Q follows 



1 M 

P(c,fc) = | — y exp(2™(er + A;)c/iV)| 2 (5) 



e=0 

A factor exp(2nkc/N) of magnitude one can be factored out and 

M 



1 M 

P(c,fc) = |-y exp(2^erc/iV)| 2 (6) 



e=0 

This is a geometric series which can be summed. The result is 

1 |exp(2vri(M + l)rc/N) - 1| 2 



P(c,k) 



N 2 \exp(2irirc/N) - 1| 2 

1 sin 2 [vr(M + l)rc/N] 
iV 2 sin 2 [vrrc/iV] 



(7) 
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Figure 1: 

Probability distribution P(c) of the Quantum Computer output 
state number c. The integer to factorize n = 21 and the auxiliary 
integer x = 10. The order of x (mod n) is r = 6. The size of the 
computer is qA = 8 qubits corresponding to N = 256. 



The probability that the quantum computer ends in state |c> is 

1 ^ sin 2 [n{M + l)rc/N] 
N2 f^ sm 2 [7rrc/N] {) 

The parameter M = [(N — k — l)/rj. Let ko be the smallest integer such 
that 

l(N -k - l)/rj = [(N - r)/r\ = M 

Then 

_fcp_ sin 2 [7r(M + l)rc/iV] r - k sm 2 [7rM rc/N] 
[C> N 2 smVc/iV] iV 2 sin 2 [vrrc/iV] 1 j 

-P(c) is illustrated for n = 21 = 3 • 7 and x = 10 in Fig. ^ The QC register 
size qA = \^og 2 n] = 9 making N = 256 
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Figure 2: 

The shape of the peaks of the probability distribution P{c). 

The function Q with c replaced by a real continuous variable a is the 
envelope of the discrete probability distribution. It is periodic and has peaks 
at 

a u = -N; i/ = 0,l,...r-l (10) 
r 

Let c v denote the integer part of a u 

c v = [ovj = <t v — 8„; ; < 8 V < 1 (11) 

The parameters are illustrated in Fig. El 

The output c = c v + d from the quantum computer is characterized 
by two random variables, the displacement parameter 5 U , and the integer 
valued parameter d = c — c v representing the deviation within the peak. 

3 Post quantum calculations 

The ratio rjv is estimated as the largest convergent with nominator less 
than n in a continued fractions expansion of N/ c. This procedure generates 



the fraction rjv closest to N/c, see e.g. 0, Theorem 181. 
The algorithm is based on the relation 



x r -1 = (x r / 2 + l){x r ' 2 - 1) = (mod n) (12) 
which shows (means?) that the factors p\ and p2 are possible divisors of 

(W 2 ± i). 

To obtain a correct value of r/v the ratio c/N must not be too far from 
v/r The incorrect value closest the correct v/r is {y + l)/(r + 1). The 
difference 

A = ^-^ = ^_ (13) 
r + 1 r r[r + lj 

takes its lowest value A = l/r(r + 1) for v = r — 1. The maximal value of r 
is less than n—1 and A m j n > l/(n — l)n The difference between the correct 
v/r and c/N is 

For N > n 2 the distances A c (0) and A c (l) are both less than A m j n and the 
continued fractions expansion always produces the correct order r, when 
d = or d = 1. 

Substitution of c = vN/r + d — 5 V into ((HI) yields 

V(A 1 ^ sin 2 [7r(M + \)v + 7r(M + l)r(d - 6 V )/N] 
{> sin 2 [vri, + nr(d-5 u )/N] { ' 

The factor (M + l)r/N = 1 — e with e < r/N < 1/n and since r/N is small 

sin 2 (7r^) 

p(d) = , 2 (d-5 u y (16) 

is an accurate approximation. The probability, averaged over dp, that d — 
or d = 1 is equal to 0.902. 

For more common values of r and v the probability of an incorrect result 
is much smaller and the continued fractions procedure can safely be assumed 
to produce a ratio vjr with r is the correct order of x (mod n) and u an 
unknown random number v = 1, 2, . . . r — 1. Trying neighboring states, as 
has been suggested in the literature, i.e 2 p 320, will have no effect. 

The relation (|12j) requires r to be even and since all even values of v will 
have at least a factor 2 in common with r the probability that r and v are 
relatively prime and the correct order r is obtained directly is less than 0.5. 

The algorithm fails when v = 0, the probability for this is equal to 1/r 
and can usually be neglected. 
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4 Generation of the integer x 



The properties of x is of fundamental importance for the function of the 
prime factorization algorithm. As shown below, for a random x and n the 
probability that the factorization procedure fails is 1/3. 

Consider two prime numbers p\ and P2 together with an arbitrary integer 
x. Let n and denote the order of x mod p\ and mod P2 respectively. The 
order r of n = PYP2 is equal to lcm(rir2), the least common multiplier of 
ri and r-i- The factorization procedure fails when r is odd i.e when both t\ 
and r<i are odd. With the assumption that a random x generates random 
and independent values of r\ and r2 and the probability of both being odd 
is P(A) = 1/4. 

The only other case when the procedure fails is when 

x r/2 = -1 (mod n) (17) 

in which case gcd(x r / 2 — 1) = 1 and gcd(x r / 2 + 1) = n. 

The relation (|17|) is satisfied only if both T\ and T2 are even and contain- 
ing identical factors 2 k which for random n and T2 occurs with probability 

oo 
k=l 

making the total probability of failure P{A) + P(B) = ^ 

Ekert and Jozsa |4) assume n fixed but arbitrary and showed that 

Pr[r odd or x r ^ 2 = — 1 (mod n)] < 1/2 

If x contains any of the prime factors of n the equation x r = 1 (mod n) has 
no solution and the algorithm fails. The probability for this is extremely 
small for any sizable values of n. It is easy to test gcd(x, n) before using x 
and if there is a common factor no QC calculation is needed. 

5 Conclusions 

For a quantum computer of size qA = 2rn factorizing an m bit number 
the output from the post quantum calculations is the correct order r or 
r out = r /fJ- with ix a factor common to r and v. It is easy to check if 
x r ° ut = 1 (mod n) and if not the unknown li may be found by trial or 
possibly by a more a efficient algorithm. From simulation results 1 it has 
been observed that one of the prime factors can sometimes be obtained by 
the gcd algorithm from r//j.An alternative is to rerun the QC with the same 
xto generate a new output c. 

1 Quantum Computer simulation programs are available at 
http/ /www. s3.kth.se/~einarson/ 
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If the final value of r is either odd or satisfies (|17|) the algorithm fails 
and the QC has to be run with a new x, which means that the quantum 
circuitry needs to be modified. 
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